The Hacker News — Cyber Security, Hacking, Technology News

Earlier this year, in the month of July it was first discovered that 99% of Android devices are vulnerable to a flaw called "Android Master Key vulnerability" that allow hackers to modify any legitimate and digitally signed application in order to transform it into a Trojan program that can be used to steal data or take control of the device.

The vulnerability was also responsibly disclosed to Google back in February by Bluebox and but the company did not fix the issue even with Android 4.3 Jelly Bean. Later, Google has also modified its Play Store’s app entry process so that apps that have been modified using such exploit are blocked and can no longer be distributed via Play.

Security researcher Jay Freeman has discovered yet another Master Key vulnerability in Android 4.3, which is very similar to the flaw reported by Android Security Squad in July.Jay Freeman, perhaps better known as Saurik for Cydia Software, an application for iOS that enables a user to find and install software packages on jailbrokeniOS Apple devices such as the iPhone.

He demonstrated the flaw with a proof of concept exploit, written in Python language.

On Android, all applications are signed by their developers using private cryptographic keys; it is by comparing the certificates used to verify these signatures that Android's package manager determines whether applications are allowed to share information, or what permissions they are able to obtain.

Even the system software itself is signed by the manufacturer of the device and the applications signed by that same key are thereby able to do anything that the system software can.

Like the previous master key bugs, Saurik's exploit allows a hacker to gain complete access to your Android device via a modified system APK, with its original cryptographic key being untouched.

This way the malware can obtain full access to Android system and all applications (and their data) with dangerous system permissions.

Users are advised to download apps or app updates only from trusted sources, preferably from official sources or app stores. Saurik has also updated his Cydia Impactor for Android to include a patch for this bug.

Recently, the source code for Android 4.4 was released in Android Open Source Project, which included a patch for all previously known Android Master Key vulnerabilities.

Update: We have updated the story, and made some correction after Saurik comment, 'the bug I am describing is a bug in Android 4.3, not Android 4.4. The fix for it was included in the code release for Android 4.4, and since it is now disclosed there is no harm to the open device community to describe the bug in public; devices that currently have no exploit are there by now exploitable.'

Almost all Android handsets are vulnerable to a flaw that could allow hackers to seize control of a device to make calls, send texts, or build a mobile botnet, has been uncovered by Bluebox Security .i.e almost 900 million Android devices globally.

Or simply, The Flaw allow hackers to modify any legitimate and digitally signed application in order to transform it into a Trojan program that can be used to steal data or take control of the OS.

When an application is installed and a sandbox is created for it, Android records the application's digital signature and all subsequent updates for that application need to match its signature in order to verify that they came from the same author and anything without the signature certificate won’t install or run on a user’s device.

The vulnerability has existed since at least Android 1.6, which means that it potentially affects any Android device released during the last four years. Samsung’s flagship Galaxy S4 has already been patched, so it is likely that manufacturers have quietly sprung into action.

Vulnerability is particularly dangerous because of the way many big-name companies have granted Android devices running on their networks additional privileges. After bypassing Android's app-signing model to take the place of such an app, rogue malware can obtain full access to Android system and all applications (and their data) currently installed.

"Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," said Bluebox on the potential risks.

Bluebox disclosed the vulnerability to Google in February, but said that it was up to individual handset manufacturers to issue patches. Google hasn't responded to a request for comment.

However, Google has blocked distribution of apps exploiting the flaw in Google Play, although if user to is tricked into manually installing a malicious update for an app originally installed through Google Play, the app will be replaced and the new version will no longer interact with the app store.